This tutorial covers the process of imaging a hard drive that has already been removed from a system, using FTK Imager and a hardware write blocker. FTK Imager comes in two versions: one that is installed on a PC and one that runs from a thumb drive for use during incident response. We will be using the installed version for this tutorial, but both look and function the same. I will cover the following key steps in the process:
Building a Virtual Cyber Security Lab Part 1 – SANS SIFT
In this post we will start creating a virtualized cyber security training environment by installing the SANS SIFT forensics workstation virtual appliance. To gain the skills needed to become a cyber security analyst, one must practice in an environment with all the tools and a few sacrificial lambs. As you might expect, most businesses will not let you use their production environments for this. So what are aspiring cyber security analysts to do? Build a test lab, of course. A good lab environment gives the analyst all of the tools necessary to launch attacks, detect those attacks, and respond to them.
How to use Maxmind GeoLite2 to obtain GeoIP data from the command line
Today let’s talk about how to use Maxmind’s GeoLite2 databases to get GeoIP data from the command line in Linux. This post is an update to the original “Using GeoIP data from the command line” post from September. Maxmind discontinued the GeoLite Legacy databases on January 2, 2019 in favor of the GeoLite2 format, which makes the original article obsolete. The new format requires new tools and scripts, so I will treat it as a new article from a technical perspective; the practical use is still the same from a security analyst’s perspective. So let’s dive right in and get the new format set up and ready to use.
Using GeoIP data from the command line
Today’s topic is using GeoIP data from the command line. Security analysts often need to ascertain an IP address’s geographic location in order to make decisions. The most obvious use is geofencing, i.e. blocking IPs from certain countries or regions. GeoIP information is simple to acquire from the Linux command line with the geoiplookup tool and the Maxmind .dat files. Note that the legacy .dat databases have since been discontinued; see the updated post and video, How to use GeoLite2 on the command line, for the GeoLite2 format.
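Both GeoIP posts above come down to the same workflow: pull addresses out of a log, ask a Maxmind database for the country, and decide based on an allowlist. The script below is an added example written for this page, not code from either post. It assumes mmdblookup (from libmaxminddb) and a GeoLite2-Country.mmdb at $GEOIP_DB (default /usr/share/GeoIP/GeoLite2-Country.mmdb); the ALLOW list, the sample log and the function names are made up for illustration. Its parser also accepts the legacy geoiplookup output format, so the same geofence works against either database.

```shell
#!/usr/bin/env bash
# geofence.sh: tag the IPs in a log with a country code and flag those outside an allowlist.
# Added example for this page, not code from the original posts. Assumes mmdblookup
# (libmaxminddb) and the GeoLite2-Country database at $GEOIP_DB; ALLOW and the sample
# log are constructed for illustration.

GEOIP_DB="${GEOIP_DB:-/usr/share/GeoIP/GeoLite2-Country.mmdb}"
ALLOW="${ALLOW:-US CA GB}"

# Constructed sample log (Apache-style). 203.0.113.0/24 is documentation space and has
# no GeoLite2 entry, which exercises the "unknown country" path below.
SAMPLE_LOG='10.0.0.5 - - [02/Jan/2019:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.9 - - [02/Jan/2019:10:00:02 +0000] "POST /login HTTP/1.1" 401 0
8.8.8.8 - - [02/Jan/2019:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 64
203.0.113.9 - - [02/Jan/2019:10:00:04 +0000] "POST /login HTTP/1.1" 401 0'

# RFC 1918 and loopback space never resolves in a GeoIP database; label it LOCAL instead
# of letting it fall into the "unknown" bucket.
is_private() {
  case "$1" in
    10.*|127.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the two-letter ISO code from either tool's output:
#   mmdblookup ... country iso_code  ->    "US" <utf8_string>
#   geoiplookup (legacy .dat)        ->  GeoIP Country Edition: US, United States
# "Could not find an entry..." / "IP Address not found" produce no output at all.
parse_iso() {
  sed -n \
    -e 's/^[[:space:]]*"\([A-Z][A-Z]\)"[[:space:]]*<utf8_string>.*/\1/p' \
    -e 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p' | head -n 1
}

# country_of IP -> ISO code, LOCAL for private space, or ?? when the database has no entry.
country_of() {
  local code
  if is_private "$1"; then echo LOCAL; return; fi
  code=$(mmdblookup --file "$GEOIP_DB" --ip "$1" country iso_code 2>/dev/null | parse_iso)
  echo "${code:-??}"
}

# is_allowed CODE -> success when CODE is LOCAL or listed in $ALLOW. An unknown code (??)
# is not allowed: a geofence should fail closed on addresses it cannot place.
is_allowed() {
  local c
  [ "$1" = LOCAL ] && return 0
  for c in $ALLOW; do [ "$c" = "$1" ] && return 0; done
  return 1
}

# extract_ips < log -> unique IPv4 addresses seen in the input, one per line.
extract_ips() {
  grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# geofence < log -> one line per IP: address, country code, ALLOW or BLOCK.
geofence() {
  extract_ips | while read -r ip; do
    cc=$(country_of "$ip")
    if is_allowed "$cc"; then verdict=ALLOW; else verdict=BLOCK; fi
    printf '%-15s %-5s %s\n' "$ip" "$cc" "$verdict"
  done
}

# Usage: ./geofence.sh access.log [more.log ...]  (does nothing when sourced without files)
if [ "$#" -gt 0 ]; then cat -- "$@" | geofence; fi
```

Run it as `ALLOW="US CA" ./geofence.sh /var/log/apache2/access.log` to get a verdict per address. Two design points matter more than the lookup itself: private ranges are labelled LOCAL so they are not mistaken for foreign traffic, and an address the database cannot place comes back as `??` and is blocked, because an allowlist that lets unmapped addresses through is not an allowlist. Country-level GeoIP is coarse, so treat the BLOCK column as a triage signal or a firewall input, not as attribution.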